I already explained you how Joomla!'s login and how Admin Tools' plugin works. As you understand, the log data you describe are inconclusive. They only tell us that a user was bouncing between two pages. Also, the explanation that the user logged in is an arbitrary one. You CAN'T possibly see that in the log file. At best you can see a POST request. You can't see the outcome (in Joomla! 1.5, at least). What you did is to fill in the missing information with arbitrary data. This arbitrary data you used sounds intuitive, but in fact would only work in the event Joomla! and Admin Tools were animate objects, developing free will and working in a completely different way than they are programmed to. Since they are not, your explanation is obviously false. So, what's going on? We'll have to take an educated guess.
Unfortunately Joomla! 1.5 does not allow us to see from the log file if the user is logged in or not. Even in the case of an error page it return a 200 OK status. It is very likely that what you see is this: User goes to the page, enters his login data. User is denied login which means that Joomla! returns him to the previous page. User insists. User is denied login again and returned to the previous page. User is stubborn and tries again. At this point he triggers his third failed login within a few minutes. And now my turn to fill in the picture with arbitrary data: I suppose that you are using the default values in WAF Configuration which would allow a maximum of 3 security exceptions per a small amount of time. I suppose these login failures happened during this time frame. I suppose you are using the "Treat failed logins as security exceptions" option. Based on these assumptions it is perfectly clear why the user's IP address (and not the user, as you claim – these are two very different things, mind you!) was blocked. You can take a look at the Security Exceptions Log to verify this.
Now, if you do not see the IP address of the user being blocked but the user account itself (the Blocked setting is set to Yes in the User Manager) you can rest assured that Admin Tools did not do that. Admin Tools does not disable user accounts. It would be moronic to do so and I can prove it. If Admin Tools would do that and I were a malicious hacker, I'd first take a look at your site. Chances are I'd be able to figure out your username. I'd then write a script to rapidly try to login with your username and false passwords. Thus, I'd get you blocked from your own site. That's why such a feature would be moronic, therefore it is not implemented in Admin Tools.
Nicholas K. Dionysopoulos
Lead Developer and Director
π¬π·Greek: native π¬π§English: excellent π«π·French: basic β’ π My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!